Educause Security Discussion mailing list archives

Re: MFA/2FA Implementation Questions


From: Greg Williams <gwillia5 () UCCS EDU>
Date: Tue, 4 Feb 2020 17:50:05 +0000

We had a very successful rollout.

Some stats and gotchas:

21k accounts currently protected
15 initially didn't have a phone so we opted those people out
90% decrease year over year in successful phishing attacks with conditional access enabled

The attackers will actually bypass modern auth if you don't enforce it, thereby bypassing conditional access.  This 
is a security risk.  We found this out a year after we turned on MFA.

How we did it: Communicated to EVERYONE multiple times over a 3-month period and gave deadlines to answer the questions 
that are presented upon login before fully enforcing.


Greg Williams, ME
Director of Operations
Office of Information Technology

Adjunct Faculty
Department of Computer Science - College of Engineering and Applied Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 144)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Chat with me on Microsoft Teams
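The gotcha above (clients on legacy protocols reach the tenant without ever hitting a modern-auth conditional access policy) is something a defender can measure before enforcing a block. The script below is an added example, not code from the poster or from Microsoft: it reads sign-in records shaped like an Azure AD sign-in log export (assumption: JSON lines with the userPrincipalName, clientAppUsed, status.errorCode and ipAddress fields), flags the clientAppUsed values that correspond to legacy authentication (the set is my assumption and should be checked against your own tenant's logs), and reports which users still authenticate successfully that way so they can be moved to modern-auth clients before legacy auth is switched off. The sample records are constructed, not real log data.

```python
import json
from collections import defaultdict

# Assumption: these are the clientAppUsed values that Azure AD sign-in logs use
# for legacy (basic) authentication protocols, which a modern-auth-only
# conditional access policy never evaluates. Verify against your tenant's logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "MAPI Over HTTP", "Offline Address Book", "Exchange Web Services",
    "Exchange Online PowerShell", "Other clients",
}

# Constructed sample records (not real log data), shaped like a JSON-lines
# export of sign-in events, reduced to the fields this script uses.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.edu", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.10"},
    {"userPrincipalName": "bob@example.edu", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@example.edu", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}, "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "carol@example.edu", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.22"},
    {"userPrincipalName": "carol@example.edu",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.22"},
    {"userPrincipalName": "dave@example.edu", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}, "ipAddress": "192.0.2.44"},
])


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A damaged line should not abort the whole audit.
            continue
    return records


def is_legacy(record):
    """True when the sign-in used a protocol that sidesteps modern auth."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_report(records, successful_only=True):
    """Return {user: {client_app: count}} for legacy-protocol sign-ins.

    errorCode 0 means the sign-in succeeded; with successful_only=False the
    failed attempts (e.g. password-spray noise against IMAP) are counted too.
    """
    report = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not is_legacy(rec):
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = rec.get("userPrincipalName", "<unknown>")
        report[user][rec["clientAppUsed"]] += 1
    return {user: dict(apps) for user, apps in report.items()}


def users_to_remediate(records):
    """Users with at least one successful legacy sign-in: they are reaching
    the tenant without conditional access and need a modern-auth client
    before legacy authentication is blocked."""
    return sorted(legacy_auth_report(records))


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for user, apps in sorted(legacy_auth_report(recs).items()):
        print(f"{user}: {apps}")
    print("to remediate:", users_to_remediate(recs))
```

Running the successful-only report first gives the list of people who will actually be affected when legacy auth is blocked; the failed-attempt view (successful_only=False) is a separate signal, since a burst of failed IMAP or SMTP sign-ins against many accounts is exactly the traffic a modern-auth-only policy never saw.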


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Tuesday, February 4, 2020 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MFA/2FA Implementation Questions

Hi All,

Our MFA project has hit a few snags and our senior leadership is asking us to gather more information from other 
schools to identify any potential issues.

Rather than Duo, the university opted for Microsoft and although mostly smooth so far, we still have some nagging 
problems that keep coming up.

One that has come up as of late is modern auth support for Android email.  Seems like 3 months ago, the answer for 
anyone with an Android was to install the Outlook client.  What we have been finding is that Samsung phones, for example, 
S7 or later that have a minimum email client version of 6.1.01.0, work with modern auth.  Given the rabbit hole that 
Androids can make, we are now being asked to test as many makes, models and versions of Android phone as we can get 
our hands on.  If anyone has done this research, we would appreciate any insight.

I've asked this in a previous post but got no responses, so I thought I'd ask again regarding exception groups.  Our 
current stance is to except Board members, Council of Regents and alumni.  We would be interested in seeing what other 
schools are doing.

Lastly, if you would be kind enough to share any pitfalls, constraints and roadblocks as well as implementation 
recommendations, we would greatly appreciate it.

Thanks in advance.


James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
